LinuxQuestions.org


sall 07-17-2005 12:52 AM

Password Protect Folder??
 
I am trying to password protect individual files/folders under Ubuntu 5.04 without having to not give access to the whole drive to others besides root. Are there any programs or preinstalled apps to do this?

Any information appreciated

Kahless 07-17-2005 01:28 AM

By default, only a given user, and root, can read the files in that given user's home directory.

You can test this on your distro by simply going into another user's directory and trying to read his/her files.

If this isn't good enough, you could look into encrypting the files in question.

stefan_nicolau 07-17-2005 03:37 AM

I would suggest, in this order of preference:
A) Use the standard permission mechanism instead of passwords.
B) Encrypt the files
C) Write a program that prompts for a password, then fetches the files requested. Run this program suid root.

sall 07-18-2005 01:14 AM

How do I go about encrypting files and where can I get a script or how do I write the script that prompts for a password?

stefan_nicolau 07-18-2005 06:11 AM

Quote:

How do I go about encrypting files
http://www.bigbold.com/snippets/posts/show/341
You may want to choose another cipher than the one in the example. See man openssl.

Quote:

where can I get a script or how do I write the script that prompts for a password?
A) I don't know where to get the script.
B) Are you sure you want a suid script?
C) Have a look at perl-suid.
D) The script itself should be straightforward:
1. the script is invoked /usr/local/bin/getfile.pl /path/to/original/file /where/to/put/it
2. the script prompts for a password
3. the script hashes the password and compares it to the one stored in a file that contains filename-hash pairs
4. if the passwords match, the script copies /path/to/original/file to /where/to/put/it and chowns it to the appropriate user
5. The user can now have access to the copied file, while only root could access the original.
E) The most important part will be securing the script. (i.e. what happens if /path/to/original/file is not in the database?, what happens if the user does not have access to /where/to/put/it?, etc.)
Sample attack based on bad checking of the output file in this script:
Code:

# /usr/local/bin/getfile.pl /path/to/a/file/i/have/the/password/for /etc/shadow
Password:<input password>
password accepted.
Copying /path/to/a/file/i/have/the/password/for to /etc/shadow...
chowning /etc/shadow...
done!
# ls -l /etc/shadow
-rw-rw-r--  1 me mygroup 1928 2005-07-16 20:49 /etc/shadow
# nano /etc/shadow
You're screwed!
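
Added example, not part of the original post or any poster's code: a Python sketch of the checks point E asks for, so that the /etc/shadow overwrite shown above is refused. The function names, the in-memory `db` layout and the choice of PBKDF2 are assumptions made for illustration.

```python
import hashlib, hmac, os, shutil

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash (PBKDF2 and the iteration count are assumptions).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def drop_privileges() -> None:
    # When running set-uid root, permanently become the invoking user.
    # Group first: after setuid() we would no longer be allowed to change it.
    if os.geteuid() == 0 and os.getuid() != 0:
        os.setgid(os.getgid())
        os.setuid(os.getuid())

def getfile(db: dict, src: str, dest: str, password: str) -> None:
    """db maps canonical source path -> (salt, hash), the filename-hash pairs."""
    src = os.path.realpath(src)            # canonicalise before the lookup
    entry = db.get(src)
    if entry is None:                      # not in the database: refuse, do not guess
        raise PermissionError("not a protected file")
    salt, stored = entry
    if not hmac.compare_digest(hash_password(password, salt), stored):
        raise PermissionError("bad password")
    # Read side: opened while still privileged, never through a symlink.
    with open(os.open(src, os.O_RDONLY | os.O_NOFOLLOW), "rb") as fin:
        # Write side: done as the caller, so the kernel checks the caller's
        # rights on dest and the file is born owned by them (no chown needed).
        drop_privileges()
        # O_EXCL refuses any existing file; O_NOFOLLOW refuses a symlink at dest.
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        with open(os.open(dest, flags, 0o600), "wb") as fout:
            shutil.copyfileobj(fin, fout)
```

Because the destination is created only after root has been given up, a caller who cannot write to the target directory gets an ordinary permission error, and an existing file is never replaced or re-owned.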


taylor_venable 07-18-2005 06:58 AM

Access Control
 
By "access" do you mean the ability to (1) examine what files exist, (2) take non-destructive action on files, or (3) delete files? If it's one of these specifically, you can accomplish this very easily through the builtin UNIX access restrictions for directories: (1) read, (2) execute, and (3) write, for each of the corresponding numbers above, on the parent directory in question. Also, keep in mind that the "user" owner of a file doesn't have to be in the "group" owner. One last note: you can modify (but not delete) a file by having execute-only permission on the parent directory, but you have to know the exact name of the file (can't use `ls` to figure it out).

